The US Department of Homeland Security and FBI have taken the unusual step of publishing a detailed brief on how they believe Russian intelligence agents hacked the Democratic party and subsequently released thousands of stolen emails.
The report (pdf), published as Joint Analysis Report JAR-16-20296 under the name GRIZZLY STEPPE, was released alongside a suite of diplomatic sanctions against Russia in retaliation for what the US government says was interference in the November election using information harvested through cyber attacks.
The DHS and FBI say they have identified two sets of actors behind what they call an “intrusion into a US political party” in the summer of 2015 and the spring of 2016, tracked under the labels Advanced Persistent Threat 28 (APT28, also known as Fancy Bear) and Advanced Persistent Threat 29 (APT29, also known as Cozy Bear).
While the report doesn’t explicitly name the party in question, the events align closely to a breach of the Democratic National Committee’s email system and subsequent leak of 19,000 sometimes embarrassing emails in mid-2016.
The joint DHS/FBI report says APT29 sent spearphishing emails carrying malicious links to more than 1,000 recipients in the summer of 2015, many of them US government employees, and that at least one recipient inside the Democratic party clicked the link.
That click delivered malware to the party’s internal systems; according to the report the intruders then established persistence, escalated privileges, enumerated Active Directory accounts and exfiltrated email from several accounts over encrypted connections back to their own infrastructure.
APT29’s spearphishing emails typically carry web links that lead the victim to a malicious dropper, which in turn installs remote access tools (RATs) on the network.
The second hacking group, APT28, followed up in Spring 2016 with another round of malicious emails targeting Democratic party members, which directed recipients to a fake webmail domain and prompted them to change their password, harvesting login credentials in the process.
The agencies said “using the harvested credentials, APT28 was able to gain access and steal content, likely leading to the exfiltration of information from multiple senior party members”.
“The US government assesses that information was leaked to the press and publicly disclosed.”
Both groups hid their origin by staging the operations through dedicated operational infrastructure, so that the attacks did not trace back to their own systems.
They used domains that very closely mimicked legitimate domains to harvest credentials, and used information gathered during spearphishing campaigns to craft highly targeted subsequent attacks, the US government claims.
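To make the mimicked-domain tactic concrete, here is an added example (not from the report or this article) of the kind of check a mail gateway or web proxy can run on the host a link points to: it compares the registrable part of the host against an allow-list of legitimate domains after folding common confusable characters, and flags both near-misses and a legitimate name embedded as a subdomain of an unrelated registration. The allow-list entry `example-party.org` and the test hosts are constructed for this example; a production version would load the organisation’s own domains and use the Public Suffix List instead of the last-two-labels heuristic used here.

```python
"""Flag link hosts that imitate a legitimate domain (added example)."""
import unicodedata

# Constructed allow-list for this example; a deployment loads its own domains.
LEGIT_DOMAINS = {"example-party.org"}

# ASCII sequences that read as another letter in a mail client's font.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def levenshtein(a: str, b: str) -> int:
    """Edit distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(host: str) -> str:
    """Lowercase, apply NFKC (folds full-width and compatibility forms, but not
    cross-script homoglyphs such as Cyrillic 'а'), drop a trailing dot and
    collapse ASCII confusables so 'examp1e' compares equal to 'example'."""
    host = unicodedata.normalize("NFKC", host).lower().rstrip(".")
    for seq, letter in CONFUSABLES:
        host = host.replace(seq, letter)
    return host


def registrable(host: str) -> str:
    """Last two labels. Assumption: production code uses the Public Suffix List
    so that names under co.uk and similar suffixes are handled correctly."""
    return ".".join(host.split(".")[-2:])


def classify(host: str, legit=LEGIT_DOMAINS, max_distance: int = 2) -> str:
    """Return 'legit', 'lookalike' or 'unknown' for the host part of a link."""
    raw = host.lower().rstrip(".")
    if registrable(raw) in legit:
        return "legit"
    norm = normalize(raw)
    reg = registrable(norm)
    for domain in legit:
        target = normalize(domain)
        # Near-miss on the registrable part: examp1e-party.org, example-parly.org
        # or a single cross-script homoglyph all land within distance 2.
        if levenshtein(reg, target) <= max_distance:
            return "lookalike"
        # Legitimate name used as a leading label of someone else's registration:
        # example-party.org.evil-login.net
        if norm.startswith(target + ".") or f".{target}." in norm:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for h in ("mail.example-party.org", "examp1e-party.org", "example-party.org.evil-login.net"):
        print(h, "->", classify(h))
```

The edit-distance threshold is deliberately small: at distance 2 it catches a dropped, swapped or substituted character without flooding the queue, and the ASCII confusable folding is done on both sides so legitimate names containing sequences like `rn` still compare equal to themselves.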
After the incidents, the agencies said, “actors masqueraded as third parties, hiding behind false online personas designed to cause the victim to misattribute the source of the attack”.
The agencies have released a list of file hashes and IP addresses, together with a YARA signature, for network administrators to use when checking their own networks for APT28 or APT29 activity. As with any published indicator list, a hit is a lead rather than a verdict: a file hash matches only a byte-identical file, and an IP address on the list may also carry legitimate traffic, so each match needs confirmation from host or network evidence.
“Network administrators are encouraged to check their public-facing websites for the malicious file hashes,” they advise.
“System owners are also advised to run the YARA signature on any system that is suspected to have been targeted by [Russian intelligence] actors.”
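A minimal way to act on the hash part of that advice, as an added example that is not part of the report or this article: walk a web root, hash every regular file once with the algorithms an indicator list provides, and report any file whose digest appears in the list. The indicator set here is built from a harmless constructed stand-in string rather than the report’s real hashes, so the code runs offline; the one-byte variant in the demo shows why hash indicators only catch byte-identical files and why the accompanying YARA rule matters for anything the attacker has edited.

```python
"""Sweep a web root for files whose digests appear in an indicator list.

Added example; the indicator hashes below are constructed from a harmless
stand-in string, not copied from the JAR.
"""
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in for a malicious file (e.g. a PHP webshell body). Its
# digests play the role of the file hashes published in the indicator list.
SAMPLE_MALICIOUS = b"<?php /* constructed sample, not real malware */ @eval($_POST['c']); ?>"
ALGORITHMS = ("md5", "sha1", "sha256")  # algorithms an indicator list typically provides


def digests(data: bytes) -> dict:
    """Hex digests of an in-memory blob, one per algorithm."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


# algorithm -> set of lowercase hex digests; published lists mix upper and lower
# case, so normalise once here rather than at every comparison.
IOC_HASHES = {alg: {d.lower()} for alg, d in digests(SAMPLE_MALICIOUS).items()}


def hash_file(path: Path, chunk_size: int = 1 << 20) -> dict:
    """Hash a file once, feeding every algorithm from the same read loop so a
    large web root is read from disk a single time."""
    hashers = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def sweep(root, iocs=IOC_HASHES) -> list:
    """Return [(path, [matched algorithms])] for every regular file under root
    whose digest is in the indicator set. Symlinks are skipped so a planted
    link cannot drag the scan outside the web root."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        found = hash_file(path)
        matched = [alg for alg in ALGORITHMS if found[alg] in iocs.get(alg, set())]
        if matched:
            hits.append((str(path), matched))
    return hits


def run_demo() -> dict:
    """Build a throwaway web root with three constructed files and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "uploads").mkdir()
        (root / "uploads" / "shell.php").write_bytes(SAMPLE_MALICIOUS)
        # Same payload with one byte changed: no hash indicator matches any more.
        (root / "uploads" / "shell2.php").write_bytes(SAMPLE_MALICIOUS.replace(b"'c'", b"'x'"))
        (root / "index.html").write_bytes(b"<html>benign constructed page</html>")
        return {"hits": sweep(root), "files_scanned": 3}


if __name__ == "__main__":
    for path, algs in run_demo()["hits"]:
        print(f"HIT {path} ({', '.join(algs)})")
```

In the demo only `uploads/shell.php` is reported, on all three algorithms; `shell2.php`, which differs by a single byte, is silent, which is the gap the YARA signature in the report is meant to close. Point `sweep()` at a real document root and replace `IOC_HASHES` with the digests from the published list to use it for the check the advisory asks for.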